Thread overview

Temporarily disabled releases for DCD, D-Scanner, dfmt

  - May 05, 2021: WebFreak001
  - May 05, 2021: Basile B.
  - May 05, 2021: Basile B.
  - May 05, 2021: Basile B.
  - May 05, 2021: Basile B.
  - May 05, 2021: WebFreak001
  - May 05, 2021: Basile B.

CodeCov was compromised and used in some dlang-community repositories with the same GitHub access token for Travis to upload releases. GitHub sent me a mail that the access token was potentially compromised and had suspicious behavior.

I have disabled the GitHub access token that is used for dlang-community releases, but it seems like I cannot access the Travis settings to manage secrets anymore (or I can't find them).

So currently the release scripts will be broken. Anyone with access to the secrets on Travis who can put in new access tokens?

It used to be tokens by Basile who has quit GitHub before, so I replaced them with my personal access tokens which are now compromised and can't be used anymore. For new access tokens I can't find the access, but it would be nice if the dlang-bot's access tokens could be used for this instead.

See https://github.com/dlang-community/DCD/issues/634

May 05, 2021

On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:

> CodeCov was compromised and used in some dlang-community repositories with the same GitHub access token for Travis to upload releases. GitHub sent me a mail that the access token was potentially compromised and had suspicious behavior.
>
> I have disabled the GitHub access token that is used for dlang-community releases, but it seems like I cannot access the Travis settings to manage secrets anymore (or I can't find them).
>
> So currently the release scripts will be broken. Anyone with access to the secrets on Travis who can put in new access tokens?
>
> It used to be tokens by Basile who has quit GitHub before,

No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

> so I replaced them with my personal access tokens which are now compromised and can't be used anymore. For new access tokens I can't find the access, but it would be nice if the dlang-bot's access tokens could be used for this instead.
>
> See https://github.com/dlang-community/DCD/issues/634

BTW, for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem.

The reason why you might have got the email is that at the account level (personal or organization):

  1. you have defined one token.
  2. one of the repos registered under this ID uses CodeCov.
  3. for security they sent the mail.

And even if you have exposed the secret, it does not mean that it had write access.
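As an added illustration of the "did the exposed token actually have write access" question raised in this post (example code, not from the thread and not part of dlang-community's tooling): the script below asks GitHub which scopes a classic personal access token carries, using the X-OAuth-Scopes response header the REST API returns on authenticated calls, and flags the scopes that permit writes. The `WRITE_SCOPES` set and the `classify` labels are my own choices; `GITHUB_TOKEN` is an assumed environment variable name.

```python
"""Audit what a leaked GitHub token could have done (added example, not from the thread).

GitHub's REST API reports the scopes granted to a classic personal access
token in the X-OAuth-Scopes response header.  Comparing those scopes with
the ones that permit writes tells you whether a token exposed through CI
could have pushed code, tags or releases, or could only read.
"""
import os
import sys
import urllib.request

# Classic PAT scopes that allow modifying repositories, releases, packages,
# hooks or organisation state (my own selection; read-only scopes are
# deliberately left out).  Note that "repo" implies the narrower ones.
WRITE_SCOPES = {
    "repo", "public_repo", "workflow", "delete_repo",
    "write:packages", "delete:packages",
    "admin:org", "write:org", "admin:org_hook",
    "admin:repo_hook", "write:repo_hook",
    "gist", "write:discussion",
}


def parse_scopes(header_value):
    """Split the comma-separated X-OAuth-Scopes header into a set of scopes."""
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def write_capable(scopes):
    """Return the subset of scopes that grant some form of write access."""
    return set(scopes) & WRITE_SCOPES


def classify(header_value):
    """Summarise a token as 'no-scopes', 'read-only' or 'write'."""
    scopes = parse_scopes(header_value)
    if not scopes:
        return "no-scopes"
    return "write" if write_capable(scopes) else "read-only"


def fetch_scopes(token, api="https://api.github.com/user"):
    """Call GitHub with the token and return the scopes it reports (needs network)."""
    req = urllib.request.Request(
        api,
        headers={"Authorization": f"token {token}",
                 "User-Agent": "token-scope-audit"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=<token under review> python audit_token.py
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        sys.exit("set GITHUB_TOKEN to the token you want to audit")
    scopes = fetch_scopes(token)
    print("granted:", sorted(scopes) or "(none reported)")
    print("write-capable:", sorted(write_capable(scopes)) or "none")
    print("verdict:", classify(", ".join(scopes)))
```

Two caveats for practical use: the header is only populated for classic tokens (fine-grained tokens and GitHub App installation tokens report their permissions differently, so an empty result there is not proof of read-only access), and a token that has already been revoked answers with 401, so run the check before revoking, or on the replacement token to confirm it carries no more than the release job needs.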

May 05, 2021

On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:

> The reason why you might have got the email is that at the account level (personal or organization):
>
>   1. you have defined one token.
>   2. one of the repos registered under this ID uses CodeCov.
>   3. for security they sent the mail.

Lol, forget this... this is BS. They can't know that unless they have collaborated with GH and GL; it's a different company.
So the reason why we got the second mail might be even simpler:

  1. you use CodeCov

May 05, 2021

On Wednesday, 5 May 2021 at 12:51:37 UTC, Basile B. wrote:

> On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
>
> > The reason why you might have got the email is that at the account level (personal or organization):
> >
> >   1. you have defined one token.
> >   2. one of the repos registered under this ID uses CodeCov.
> >   3. for security they sent the mail.
>
> Lol, forget this... this is BS. They can't know that unless they have collaborated with GH and GL; it's a different company.
> So the reason why we got the second mail might be even simpler:
>
>   1. you use CodeCov

The write access criterion is still valid however.

May 05, 2021

On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:

> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>
> > CodeCov was compromised and used in some dlang-community repositories with the same GitHub access token for Travis to upload releases. GitHub sent me a mail that the access token was potentially compromised and had suspicious behavior.
> >
> > I have disabled the GitHub access token that is used for dlang-community releases, but it seems like I cannot access the Travis settings to manage secrets anymore (or I can't find them).
> >
> > So currently the release scripts will be broken. Anyone with access to the secrets on Travis who can put in new access tokens?
> >
> > It used to be tokens by Basile who has quit GitHub before,
>
> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

I remember now. I've deleted the ones set up by Seb by mistake. Then automatic releases were broken. Then the ones I regenerated did not work because I missed some info to link to the release bot; probably only Seb could do that. So those tokens were not able to do anything anyway. You should test if the new ones are able to upload, let's say by pushing a tag somewhere.

You should find a trace of this in the community discussion of dlang-community.

May 05, 2021

On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:

> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>
> > [...]
>
> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

Oh right, sorry, I thought that was the case because they broke roughly around that time.

> [...]
>
> BTW, for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem.
>
> The reason why you might have got the email is that at the account level (personal or organization):
>
>   1. you have defined one token.
>   2. one of the repos registered under this ID uses CodeCov.
>   3. for security they sent the mail.
>
> And even if you have exposed the secret, it does not mean that it had write access.

I think it was compromised because they sent me a mail that it had been used in "suspicious requests" along with information on the IPs that made the requests.

May 05, 2021

On Wednesday, 5 May 2021 at 15:13:17 UTC, WebFreak001 wrote:

> On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
>
> > On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
> >
> > > [...]
> >
> > No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?
>
> Oh right, sorry, I thought that was the case because they broke roughly around that time.
>
> > [...]
> >
> > BTW, for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem.
> >
> > The reason why you might have got the email is that at the account level (personal or organization):
> >
> >   1. you have defined one token.
> >   2. one of the repos registered under this ID uses CodeCov.
> >   3. for security they sent the mail.
> >
> > And even if you have exposed the secret, it does not mean that it had write access.
>
> I think it was compromised because they sent me a mail that it had been used in "suspicious requests" along with information on the IPs that made the requests.

I did not get this one for my GitLab stuff. I got the first one like everyone. A second one a few days ago, saying "you're compromised", but there were no details like an IP.

Anyway, you should try to push a tag in one of the repos with the new token. There is a chance that this will not work, as the ones you deleted did not either; they were already not working well before the CodeCov security event.